NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
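--- a/usr/src/uts/common/c2/audit_kernel.h
+++ b/usr/src/uts/common/c2/audit_kernel.h
@@ -1,436 +1,466 @@
 /*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
 /*
 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
 */
 
 #ifndef _BSM_AUDIT_KERNEL_H
 #define _BSM_AUDIT_KERNEL_H
 
 
 /*
 * This file contains the basic auditing control structure definitions.
 */
 
+#include <c2/audit.h>
 #include <c2/audit_kevents.h>
 #include <sys/priv_impl.h>
 #include <sys/taskq.h>
 #include <sys/zone.h>
 
 #include <sys/tsol/label.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /*
 * This table contains the mapping from the system call ID to a corresponding
 * audit event.
 *
 * au_init() is a function called at the beginning of the system call that
 * performs any necessary setup/processing. It maps the call into the
 * appropriate event, depending on the system call arguments. It is called
 * by audit_start() from trap.c .
 *
 * au_event is the audit event associated with the system call. Most of the
 * time it will map directly from the system call i.e. There is one system
 * call associated with the event. In some cases, such as shmsys, or open,
 * the au_start() function will map the system call to more than one event,
 * depending on the system call arguments.
 *
 * au_start() is a function that provides per system call processing at the
 * beginning of a system call. It is mainly concerned with preseving the
 * audit record components that may be altered so that we can determine
 * what the original paramater was before as well as after the system call.
 * It is possible that au_start() may be taken away. It might be cleaner to
 * define flags in au_ctrl to save a designated argument. For the moment we
 * support both mechanisms, however the use of au_start() will be reviewed
 * for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
 *
 * au_finish() is a function that provides per system call processing at the
 * completion of a system call. In certain circumstances, the type of audit
 * event depends on intermidiate results during the processing of the system
 * call. It is called in audit_finish() from trap.c .
 *
 * au_ctrl is a control vector that indicates what processing might have to
 * be performed, even if there is no auditing for this system call. At
 * present this is mostly for path processing for chmod, chroot. We need to
 * process the path information in vfs_lookup, even when we are not auditing
 * the system call in the case of chdir and chroot.
 */
 /*
 * Defines for au_ctrl
 */
 #define S2E_SP TAD_SAVPATH /* save path for later use */
 #define S2E_MLD TAD_MLD /* only one lookup per system call */
 #define S2E_NPT TAD_NOPATH /* force no path in audit record */
 #define S2E_PUB TAD_PUBLIC_EV /* syscall is defined as a public op */
 
 /*
 * At present, we are using the audit classes imbedded with in the kernel. Each
 * event has a bit mask determining which classes the event is associated.
 * The table audit_e2s maps the audit event ID to the audit state.
 *
 * Note that this may change radically. If we use a bit vector for the audit
 * class, we can allow granularity at the event ID for each user. In this
 * case, the vector would be determined at user level and passed to the kernel
 * via the setaudit system call.
 */
 
 /*
 * The audit_pad structure holds paths for the current root and directory
 * for the process, as well as for open files and directly manipulated objects.
 * The reference count minimizes data copies since the process's current
 * directory changes very seldom.
 */
 struct audit_path {
 uint_t audp_ref; /* reference count */
 uint_t audp_size; /* allocated size of this structure */
 uint_t audp_cnt; /* number of path sections */
 char *audp_sect[1]; /* path section pointers */
 /* audp_sect[0] is the path name */
 /* audp_sect[1+] are attribute paths */
 };
 
 /*
 * The structure of the terminal ID within the kernel is different from the
 * terminal ID in user space. It is a combination of port and IP address.
 */
 
 struct au_termid {
 dev_t at_port;
 uint_t at_type;
 uint_t at_addr[4];
 };
 typedef struct au_termid au_termid_t;
 
 /*
 * Attributes for deferring the queuing of an event.
 */
 typedef struct au_defer_info {
 struct au_defer_info *audi_next; /* next on linked list */
 void *audi_ad; /* audit record */
 au_event_t audi_e_type; /* audit event id */
 au_emod_t audi_e_mod; /* audit event modifier */
 int audi_flag; /* au_close*() flags */
 timestruc_t audi_atime; /* audit event timestamp */
 } au_defer_info_t;
 
 /*
 * The structure p_audit_data hangs off of the process structure. It contains
 * all of the audit information necessary to manage the audit record generation
 * for each process.
 *
 * The pad_lock is constructed in the kmem_cache; the rest is combined
 * in a sub structure so it can be copied/zeroed in one statement.
 *
 * The members have been reordered for maximum packing on 64 bit Solaris.
 */
 struct p_audit_data {
 kmutex_t pad_lock; /* lock pad data during changes */
 struct _pad_data {
 struct audit_path *pad_root; /* process root path */
 struct audit_path *pad_cwd; /* process cwd path */
 au_mask_t pad_newmask; /* pending new mask */
 int pad_flags;
 } pad_data;
 };
 typedef struct p_audit_data p_audit_data_t;
 
 #define pad_root pad_data.pad_root
 #define pad_cwd pad_data.pad_cwd
 #define pad_newmask pad_data.pad_newmask
 #define pad_flags pad_data.pad_flags
 
 /*
 * Defines for process audit flags (pad_flags)
 */
 #define PAD_SETMASK 0x00000001 /* need to complete pending setmask */
 
 extern kmem_cache_t *au_pad_cache;
 
 /*
 * Defines for thread audit control/status flags (tad_ctrl)
 */
 #define TAD_ABSPATH 0x00000001 /* path from lookup is absolute */
 #define TAD_ATCALL 0x00000002 /* *at() syscall, like openat() */
 #define TAD_ATTPATH 0x00000004 /* attribute file lookup */
 #define TAD_CORE 0x00000008 /* save attribute during core dump */
 #define TAD_ERRJMP 0x00000010 /* abort record generation on error */
 #define TAD_MLD 0x00000020 /* system call involves MLD */
 #define TAD_NOATTRB 0x00000040 /* do not automatically add attribute */
 #define TAD_NOAUDIT 0x00000080 /* discard audit record */
 #define TAD_NOPATH 0x00000100 /* force no paths in audit record */
 #define TAD_PATHFND 0x00000200 /* found path, don't retry lookup */
 #define TAD_PUBLIC_EV 0x00000400 /* syscall is defined as a public op */
 #define TAD_SAVPATH 0x00000800 /* save path for further processing */
 #define TAD_TRUE_CREATE 0x00001000 /* true create, file not found */
 
 /*
+ * These types implement the interface between a consumer and FS for handling
+ * SACL-based File Access Auditing. A consumer zeroes out the appropriate
+ * t_audit_sacl_t in T2A(curthread), then sets tad_sacl_ctrl to one of
+ * sacl_audit_ctrl_t. The FS, when auditing of SACLs is enabled, checks to see
+ * if tad_sacl_ctrl is not NONE. If so, it collects information from the
+ * object's SACL (such as NFSv4 Audit and Alarm type ACEs), and stores
+ * representative Success and Failure masks in the t_audit_sacl_t structure.
+ * The consumer then compares the requested access to the appropriate mask in
+ * order to determine whether an audit record should be generated.
+ */
+typedef struct t_audit_sacl {
+ uint32_t tas_smask;
+ uint32_t tas_fmask;
+} t_audit_sacl_t;
+
+typedef enum sacl_audit_ctrl {
+ SACL_AUDIT_NONE = 0,
+ SACL_AUDIT_ON,
+ SACL_AUDIT_ALL,
+ SACL_AUDIT_NO_SRC
+} sacl_audit_ctrl_t;
+
+/*
 * The structure t_audit_data hangs off of the thread structure. It contains
 * all of the audit information necessary to manage the audit record generation
 * for each thread.
 *
 */
 
 struct t_audit_data {
 kthread_id_t tad_thread; /* DEBUG pointer to parent thread */
 unsigned int tad_scid; /* system call ID for finish */
 au_event_t tad_event; /* event for audit record */
 au_emod_t tad_evmod; /* event modifier for audit record */
 int tad_ctrl; /* audit control/status flags */
 void *tad_errjmp; /* error longjmp (audit record aborted) */
 int tad_flag; /* to audit or not to audit */
 uint32_t tad_audit; /* auditing enabled/disabled */
 struct audit_path *tad_aupath; /* captured at vfs_lookup */
 struct audit_path *tad_atpath; /* openat prefix, path of fd */
 caddr_t tad_ad; /* base of accumulated audit data */
 au_defer_info_t *tad_defer_head; /* queue of records to defer */
 /* until syscall end: */
 au_defer_info_t *tad_defer_tail; /* tail of defer queue */
 priv_set_t tad_sprivs; /* saved (success) used privs */
 priv_set_t tad_fprivs; /* saved (failed) used privs */
+ sacl_audit_ctrl_t tad_sacl_ctrl;
+ sacl_audit_ctrl_t tad_sacl_backup;
+ t_audit_sacl_t tad_sacl_mask;
+ t_audit_sacl_t tad_sacl_mask_src;
+ t_audit_sacl_t tad_sacl_mask_dest;
 };
 typedef struct t_audit_data t_audit_data_t;
 
 /*
 * The f_audit_data structure hangs off of the file structure. It contains
 * three fields of data. The audit ID, the audit state, and a path name.
 */
 
 struct f_audit_data {
 kthread_id_t fad_thread; /* DEBUG creating thread */
 int fad_flags; /* audit control flags */
 struct audit_path *fad_aupath; /* path from vfs_lookup */
 };
 typedef struct f_audit_data f_audit_data_t;
 
 #define FAD_READ 0x0001 /* read system call seen */
 #define FAD_WRITE 0x0002 /* write system call seen */
 
 #define P2A(p) (p->p_audit_data)
 #define T2A(t) (t->t_audit_data)
 #define U2A(u) (curthread->t_audit_data)
 #define F2A(f) (f->f_audit_data)
 
 #define u_ad ((U2A(u))->tad_ad)
 #define ad_ctrl ((U2A(u))->tad_ctrl)
 #define ad_flag ((U2A(u))->tad_flag)
 
 #define AU_BUFSIZE 128 /* buffer size for the buffer pool */
 
 struct au_buff {
 char buf[AU_BUFSIZE];
 struct au_buff *next_buf;
 struct au_buff *next_rec;
 ushort_t rec_len;
 uchar_t len;
 uchar_t flag;
 };
 
 typedef struct au_buff au_buff_t;
 
 /*
 * Kernel audit queue structure.
 */
 struct audit_queue {
 au_buff_t *head; /* head of queue */
 au_buff_t *tail; /* tail of queue */
 ssize_t cnt; /* number elements on queue */
 size_t hiwater; /* high water mark to block */
 size_t lowater; /* low water mark to restart */
 size_t bufsz; /* audit trail write buffer size */
 size_t buflen; /* audit trail buffer length in use */
 clock_t delay; /* delay before flushing queue */
 int wt_block; /* writer is blocked (1) */
 int rd_block; /* reader is blocked (1) */
 kmutex_t lock; /* mutex lock for queue modification */
 kcondvar_t write_cv; /* sleep structure for write block */
 kcondvar_t read_cv; /* sleep structure for read block */
 };
 
 
 union rval;
 struct audit_s2e {
 au_event_t (*au_init)(au_event_t);
 /* convert au_event to real audit event ID */
 
 int au_event; /* default audit event for this system call */
 void (*au_start)(struct t_audit_data *);
 /* pre-system call audit processing */
 void (*au_finish)(struct t_audit_data *, int, union rval *);
 /* post-system call audit processing */
 int au_ctrl; /* control flags for auditing actions */
 };
 
 extern struct audit_s2e audit_s2e[];
 
 #define AUK_VALID 0x5A5A5A5A
 #define AUK_INVALID 0
 /*
 * per zone audit context
 */
 struct au_kcontext {
 uint32_t auk_valid;
 zoneid_t auk_zid;
 
 boolean_t auk_hostaddr_valid;
 int auk_sequence;
 int auk_auditstate;
 int auk_output_active;
 struct vnode *auk_current_vp;
 uint32_t auk_policy;
 
 struct audit_queue auk_queue;
 
 au_dbuf_t *auk_dbuffer; /* auditdoor output */
 
 au_stat_t auk_statistics;
 
 k_auditinfo_addr_t auk_info;
 kmutex_t auk_eagain_mutex; /* door call retry */
 kcondvar_t auk_eagain_cv;
 
 taskq_t *auk_taskq; /* output thread */
 
 /* Only one audit svc per zone at a time */
 /* With the elimination of auditsvc, can this also go? see 6648414 */
 kmutex_t auk_svc_lock;
 
 au_state_t auk_ets[MAX_KEVENTS + 1];
 };
 #ifndef AUK_CONTEXT_T
 #define AUK_CONTEXT_T
 typedef struct au_kcontext au_kcontext_t;
 #endif
 
 extern zone_key_t au_zone_key;
 
 /*
 * Kernel auditing external variables
 */
 extern uint32_t audit_policy;
 extern int audit_active;
 
 extern struct audit_queue au_queue;
 extern struct p_audit_data *pad0;
 extern struct t_audit_data *tad0;
 
 /*
 * audit_path support routines
 */
 void au_pathhold(struct audit_path *);
 void au_pathrele(struct audit_path *);
 struct audit_path *au_pathdup(const struct audit_path *, int, int);
 
 void au_pad_init(void);
 
 int auditctl(int cmd, caddr_t data, int length);
 int auditdoor(int fd);
 int getauid(caddr_t);
 int setauid(caddr_t);
 int getaudit(caddr_t);
 int getaudit_addr(caddr_t, int);
 int setaudit(caddr_t);
 int setaudit_addr(caddr_t, int);
 
 /*
 * Macros to hide asynchronous, non-blocking audit record start and finish
 * processing.
 *
 * NOTE: must be used in (void) funcction () { ... }
 */
 
 #define AUDIT_ASYNC_START(rp, audit_event, sorf) \
 { \
 label_t jb; \
 if (setjmp(&jb)) { \
 /* cleanup any residual audit data */ \
 audit_async_drop((caddr_t *)&(rp), 0); \
 return; \
 } \
 /* auditing enabled and we're preselected for this event? */ \
 if (audit_async_start(&jb, audit_event, sorf)) { \
 return; \
 } \
 }
 
 #define AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \
 audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \
 event_time);
 
 
 #ifdef _KERNEL
 au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *);
 #endif
 
 /*
 * Macro for uniform "subject" token(s) generation
 */
 #define AUDIT_SETSUBJ_GENERIC(u, c, a, k, p) \
 (au_write((u), au_to_subject(crgetuid(c), \
 crgetgid(c), crgetruid(c), crgetrgid(c), \
 p, (a)->ai_auid, (a)->ai_asid, \
 &((a)->ai_termid)))); \
 ((is_system_labeled()) ? au_write((u), \
 au_to_label(CR_SL((c)))) : (void) 0); \
 (((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\
 au_to_groups(crgetgroups(c), \
 crgetngroups(c))) : (void) 0)
 
 #define AUDIT_SETSUBJ(u, c, a, k) \
 AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid)
 
 #define AUDIT_SETPROC_GENERIC(u, c, a, p) \
 (au_write((u), au_to_process(crgetuid(c), \
 crgetgid(c), crgetruid(c), crgetrgid(c), \
 p, (a)->ai_auid, (a)->ai_asid, \
 &((a)->ai_termid))));
 
 #define AUDIT_SETPROC(u, c, a) \
 AUDIT_SETPROC_GENERIC(u, c, a, curproc->p_pid)
 
 /*
 * Macros for type conversion
 */
 
 /* au_membuf head, to typed data */
 #define memtod(x, t) ((t)x->buf)
 
 /* au_membuf types */
 #define MT_FREE 0 /* should be on free list */
 #define MT_DATA 1 /* dynamic (data) allocation */
 
 /* flags to au_memget */
 #define DONTWAIT 0
 #define WAIT 1
 
 #define AU_PACK 1 /* pack data in au_append_rec() */
 #define AU_LINK 0 /* link data in au_append_rec() */
 
 /* flags to async routines */
 #define AU_BACKEND 1 /* called from softcall backend */
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _BSM_AUDIT_KERNEL_H */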
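Review bot: The five members appended to struct t_audit_data (tad_sacl_ctrl, tad_sacl_backup, tad_sacl_mask, tad_sacl_mask_src, tad_sacl_mask_dest) are the only fields in that structure without a trailing comment, and the block comment above t_audit_sacl explains neither what distinguishes SACL_AUDIT_ON, SACL_AUDIT_ALL and SACL_AUDIT_NO_SRC nor when tad_sacl_backup and the _src/_dest masks are used instead of tad_sacl_mask (two-object operations such as rename seem likely from the names, but that is an inference). Suggest a one-line comment per member in the file's existing style, e.g. `sacl_audit_ctrl_t tad_sacl_ctrl; /* SACL collection requested by consumer */` and `t_audit_sacl_t tad_sacl_mask; /* success/failure masks filled in by FS */`, plus one sentence per enum value in the comment block. Since the FS acts on any non-NONE tad_sacl_ctrl it finds in T2A(curthread), the comment should also say which side is responsible for resetting it to SACL_AUDIT_NONE once the consumer has compared the masks; a value left behind on the thread would make unrelated later lookups on that thread collect SACL data, and a reader cannot rule that out from the header alone.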